The CyberWire Daily Podcast 9.30.25
Ep 2403 | 9.30.25

One flaw to rule the root.

Transcript

CISA issues an urgent warning about active exploitation of a critical vulnerability in the sudo utility. Broadcom patches two high-severity vulnerabilities in VMware NSX. South Korea raises its national cyber threat level after a datacenter fire. Formbricks patches a critical token validation flaw. Microsoft blocks a credential phishing campaign that made use of malicious SVG files. Landlords are accused of scraping sensitive payroll data. Cybercriminals lay the groundwork for large-scale FIFA fraud. Burnout takes a heavy toll on cybersecurity professionals. On our Threat Vector segment, host David Moulton is joined by Kyle Wilhoit talking about the evolution of hacker culture and cybersecurity. London police bag the biggest bitcoin bust.

Today is Tuesday September 30th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA issues an urgent warning about active exploitation of a critical vulnerability in the sudo utility. 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about active exploitation of a critical vulnerability in the sudo utility, a core Linux and Unix tool. Tracked as CVE-2025-32463, the flaw affects sudo's -R (chroot) option, allowing attackers with limited sudo rights to bypass restrictions and gain full root access. CISA warns that successful exploitation could result in complete system compromise, enabling data theft, service disruption, or malware installation. The agency urges administrators to identify vulnerable systems, apply vendor patches, or disable the chroot option until fixes are available. The flaw was added to CISA's Known Exploited Vulnerabilities Catalog on September 29, 2025, with mitigations required by October 20. CISA stresses proactive patching as essential defense.
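CISA's first step is "identify vulnerable systems". The triage helper below is an added example for this transcript, not CISA's or the sudo project's code. It parses the output of `sudo --version` and compares it against the affected range, and lists any sudoers lines that use the chroot feature so the "disable chroot" mitigation can be planned. The affected range (sudo 1.9.14 through 1.9.17, fixed in 1.9.17p1) comes from the upstream sudo advisory and is not stated in the podcast; the sample version strings and sudoers lines are constructed for the example.

```python
"""Triage helper for CVE-2025-32463: is this sudo build in the affected range, and where is chroot used?"""
import re
import subprocess

# Affected range per the upstream sudo advisory for this CVE (not stated in the podcast):
# sudo 1.9.14 up to and including 1.9.17; fixed in 1.9.17p1. The legacy 1.8 series is not affected.
AFFECTED_FROM = (1, 9, 14, 0)
FIXED_IN = (1, 9, 17, 1)

# `sudo --version` prints e.g. "Sudo version 1.9.16p2"; the "pN" suffix is an optional patch level.
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, patch, p) from `sudo --version` output, or None if not found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(version):
    """Tuple comparison does the right thing for the pN suffix: 1.9.17 < 1.9.17p1."""
    return AFFECTED_FROM <= version < FIXED_IN


def chroot_in_sudoers(sudoers_text):
    """Non-comment lines that enable chroot: `Defaults runchroot=...` or a `CHROOT=` tag on a rule.

    This is for planning the mitigation; the version check is the authoritative signal,
    so a sudoers file with no chroot lines does not by itself mean a host is safe.
    """
    hits = []
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.search(r"\brunchroot\s*=", stripped) or re.search(r"\bCHROOT\s*=", stripped):
            hits.append(stripped)
    return hits


def live_check():
    """Run on a real host: report its sudo version and whether it falls in the affected range."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None
    ver = parse_sudo_version(out)
    return None if ver is None else {"version": ver, "affected": is_affected(ver)}


# Constructed sample inputs (not real host output).
SAMPLE_VERSION_OUTPUT = "Sudo version 1.9.16p2\nSudoers policy plugin version 1.9.16p2\n"
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
Defaults runchroot=/srv/jail
%builders ALL = CHROOT=/srv/jail /usr/bin/make
alice ALL = (ALL) ALL
"""

if __name__ == "__main__":
    ver = parse_sudo_version(SAMPLE_VERSION_OUTPUT)
    print("sample version", ver, "affected:", is_affected(ver))
    print("chroot use in sudoers:", chroot_in_sudoers(SAMPLE_SUDOERS))
    print("this host:", live_check())
```

Running it on a fleet is a matter of feeding each host's `sudo --version` output to `parse_sudo_version`; the sudoers scan needs root to read the file, and should also cover `/etc/sudoers.d/`.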

Broadcom patches two high-severity vulnerabilities in VMware NSX. 

Broadcom has issued security updates addressing two high-severity vulnerabilities in VMware NSX, both reported by the U.S. National Security Agency. VMware NSX, part of VMware Cloud Foundation, supports networking virtualization for private and hybrid clouds. The flaws, tracked as CVE-2025-41251 and CVE-2025-41252, allow unauthenticated attackers to enumerate valid usernames, potentially enabling brute-force or unauthorized access attempts. Broadcom also patched a separate high-severity SMTP header injection flaw in VMware vCenter (CVE-2025-41250) and disclosed three vulnerabilities in VMware Aria Operations and VMware Tools that could permit privilege escalation, credential theft, and cross-VM access. These updates follow earlier fixes to zero-days exploited at Pwn2Own Berlin 2025 and by attackers in the wild. VMware products remain frequent targets for state-sponsored groups and cybercrime gangs.

South Korea raises its national cyber threat level after a datacenter fire. 

South Korea has raised its national cyber threat level after a fire at a government datacentre in Daejeon crippled critical digital infrastructure. The blaze, caused by ignited lithium-ion batteries during replacement work, shut down 647 government systems, halting email, intranet, banking, tax, real estate, and healthcare services. As of Tuesday, 89 systems were restored, but 96 were destroyed and will require weeks to rebuild, leaving disruptions expected through the Chuseok holiday. The intelligence service warned hackers may exploit the weakened systems during recovery. President Lee Jae Myung apologized, criticizing the lack of backup protocols as “foreseeable.” With the upcoming APEC summit, concerns about resilience and preparedness have intensified, while political leaders face growing criticism over South Korea’s digital reliability.

Formbricks patches a critical token validation flaw. 

Formbricks, an open-source experience management platform, has patched a critical flaw (CVE-2025-59934, CVSS 9.4) that could let attackers hijack accounts with forged authentication tokens. The issue stemmed from improper JSON Web Token validation, where the software decoded tokens instead of verifying them, accepting the insecure “alg: none” option. Exploitation required only a victim’s predictable user identifier, enabling password resets and full account takeover. Versions prior to 4.0.1 are vulnerable. Users should upgrade immediately to version 4.0.1 or later.
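The decode-versus-verify distinction is the whole bug. The example below is added here to show it and is not Formbricks' code: a reset handler that only decodes a JWT accepts an unsigned token whose header says `"alg":"none"` and whose payload names the victim's user id, while a handler that pins the algorithm and checks the HMAC rejects it. The secret, user id and expiry are constructed for the example; the Python standard library is used instead of a JWT library so it runs offline.

```python
"""Decoding vs verifying a JWT: why accepting "alg": "none" is an account takeover."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-only-server-secret"  # constructed for the example; real keys come from configuration


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims, secret):
    """Issue a legitimate HS256 token, as a server would for a real password-reset link."""
    header = _json_segment({"alg": "HS256", "typ": "JWT"})
    payload = _json_segment(claims)
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def forge_alg_none(claims):
    """What an attacker submits: an unsigned token naming the victim's (predictable) user id."""
    header = _json_segment({"alg": "none", "typ": "JWT"})
    return f"{header}.{_json_segment(claims)}."


def decode_unverified(token):
    """The vulnerable pattern: parse the payload and trust it without checking the signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token, secret, now=None):
    """The fixed pattern: allow-list the algorithm, recompute the MAC, compare in constant time, check exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects "none" and any algorithm-confusion attempt
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


def password_reset_user(token, secret, verify):
    """Return the user id a reset handler would act on, or None if the token is rejected."""
    try:
        claims = verify_hs256(token, secret) if verify else decode_unverified(token)
    except ValueError:  # covers malformed base64 and JSON as well (both subclass ValueError)
        return None
    return claims.get("id")


if __name__ == "__main__":
    forged = forge_alg_none({"id": "victim-user-id", "exp": 9999999999})
    print("forged token:", forged)
    print("decode-only handler resets password for:", password_reset_user(forged, SECRET, verify=False))
    print("verifying handler resets password for:", password_reset_user(forged, SECRET, verify=True))
```

With a real JWT library the same mistake is calling its decode function where its verify function belongs; the fix is to call verify with an explicit list of accepted algorithms rather than whatever the token's own header claims.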

Microsoft blocks a credential phishing campaign that made use of malicious SVG files. 

It comes as no surprise that cybercriminals are leveraging artificial intelligence to create highly sophisticated phishing attacks that evade traditional defenses. Microsoft Threat Intelligence recently blocked a credential phishing campaign on August 18 that primarily targeted U.S. organizations. The attack used a compromised business email account to send what looked like a PDF file but was actually an SVG file laced with disguised malicious code. The payload redirected victims to a fake sign-in page, with its code structure suggesting large language model (LLM) involvement. Microsoft’s Security Copilot determined the complexity was unlikely from a human author. Microsoft Defender for Office 365 ultimately stopped the campaign by detecting behavioural anomalies. Experts warn that AI-assisted phishing represents a major shift, urging organizations to focus on identity observability and behavioral detection to counter AI-scaled deception.
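The lure works because the attachment's name says PDF while its bytes are an SVG, and SVG can carry script. The check below is an added example, not Microsoft's detection logic: it sniffs the real content type, compares it with the claimed extension, and walks the SVG for active content (script elements, event-handler attributes, javascript: links, foreignObject). The attachment name, the SVG and the redirect target are constructed for the example; a real pipeline would also parse with a hardened XML parser such as defusedxml.

```python
"""Flag an attachment that claims to be a PDF but is an SVG carrying active content."""
import xml.etree.ElementTree as ET

# Constructed sample: the name says PDF, the bytes are an SVG whose script redirects the viewer.
SAMPLE_NAME = "Invoice_Q3.pdf"
SAMPLE_BYTES = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="600" height="800">
  <rect width="600" height="800" fill="white"/>
  <text x="40" y="60">Loading document...</text>
  <script type="text/javascript"><![CDATA[
    var p = ["h","t","t","p","s",":","/","/"].join("") + "login-example.invalid/auth";
    window.location = p;
  ]]></script>
</svg>
"""

DOCUMENT_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx")


def sniff_type(data):
    """Identify the content by its leading bytes, ignoring the filename entirely."""
    head = data.lstrip()[:512]
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith((b"<?xml", b"<!DOCTYPE", b"<svg")):
        return "svg" if b"<svg" in head else "xml"
    return "unknown"


def svg_active_content(data):
    """List the reasons an SVG is not a passive image (scripts, handlers, javascript: hrefs, foreignObject)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["unparseable xml: %s" % exc]
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):
                findings.append("event handler %s" % name)
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    return findings


def assess_attachment(filename, data):
    """Return a verdict dict; `block` is True on an extension/content mismatch or on active SVG content."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    findings = svg_active_content(data) if actual == "svg" else []
    mismatch = claimed in DOCUMENT_EXTENSIONS and actual != claimed
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": mismatch,
        "findings": findings,
        "block": mismatch or bool(findings),
    }


if __name__ == "__main__":
    print(assess_attachment(SAMPLE_NAME, SAMPLE_BYTES))
```

The mismatch test alone catches this lure regardless of how the script inside is obfuscated, which is the point: the behaviour (a "PDF" that is really markup with script) is stable even when the code is not.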

Landlords are accused of scraping sensitive payroll data. 

Some U.S. landlords are requiring prospective tenants to use screening tools that log directly into employer systems and scrape sensitive payroll data, according to 404 Media. One renter in Atlanta said ApproveShield, powered by a service called Argyle, harvested far more than the requested four paystubs, downloading every payslip and W-4 from Workday going back to 2024. The renter described the process as “credential harvesting,” since Argyle required corporate HR logins, raising concerns about potential violations of U.S. hacking laws. ApproveShield allegedly knew the 60-day requirement but still mined excessive data. Critics warn that refusing to participate effectively bars tenants from housing. Similar practices reportedly involve other companies, including PayScore, Nova Credit, and Snappt. Neither ApproveShield nor Argyle responded to requests for comment.

Cybercriminals lay the groundwork for large-scale FIFA fraud. 

With the 2026 FIFA World Cup still months away, cybercriminals are already laying groundwork for large-scale fraud. Researchers at Check Point identified more than 4,300 suspicious domains registered since August 2025, many in synchronized bursts and clustered around a few registrars. These domains mimic official branding to push counterfeit tickets, fake merchandise, and malware-laced streams. Evidence also suggests botnets are being prepared to flood ticket queues, distort prices, and enable large-scale resales. Fraudulent activity extends beyond domains into Telegram, dark-web markets, and social media channels, forming a multi-platform ecosystem. Experts warn this isn’t random opportunism but coordinated infrastructure designed well in advance. Defenses must begin now, including registrar cooperation, anti-bot protections, and public awareness campaigns, to prevent scams from overshadowing the tournament.

Burnout takes a heavy toll on cybersecurity professionals. 

Burnout is taking a heavy toll on cybersecurity professionals, who often pour their passion into protecting organizations while facing relentless pressure, the BBC reports. Tony, who left his role at a major UK ecommerce firm, described sleepless nights, overwhelming workloads, and the strain of nonstop incident readiness. Others, like former UK Health Security Agency leader Andrew Tillman, call cybersecurity “the best job in the world” but also a “dangerous place” when stress mounts unchecked. Studies show declining job satisfaction, with professionals asked to “do more with less” while remaining on call around the clock. Experts warn that constant alerts, nation-state threats, and blame culture fuel exhaustion, especially for younger workers. Initiatives like Cybermindz advocate treating burnout with the seriousness of other frontline professions, urging proactive support and early recognition of warning signs.

London police bag the biggest bitcoin bust in history. 

It’s not every day the police stumble across £5 billion in bitcoin, but that’s exactly what London’s Metropolitan Police bagged in the world’s largest crypto seizure. At the center of it all is Zhimin (Jimin Chan) Qian—also known as Yadi Zhang (Jang)—who pled guilty to running a scam in China that duped 128,000 victims between 2014 and 2017. She fled to the UK with false documents, tried laundering her digital fortune into property, and instead earned herself a court date at Southwark Crown. Along the way, her accomplice went from takeaway worker to mansion-dweller before being jailed too. Prosecutors note that criminals love crypto’s cloak of invisibility, but this seven-year investigation proves the blockchain isn’t always the perfect hiding place. Qian’s sentencing is still pending.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.